Thursday, December 18, 2008

Teach a man to phish...

If you teach a man to phish, then he'll come to my University and make my life hell. Actually, I guess a single phisher won't make my life hell. Really all of them together aren't making my life hell, they're just making it more hellful.

A while back I reviewed Adam Shostack's book, "The New School of Information Security." One of the things he talks about in that book is user awareness training. Many of us, myself included, track security metrics such as the number of people completing our user awareness training rather than looking for metrics that prove the training is actually effective. I haven't been able to put together any studies into the effectiveness of our training because so few of my users have actually done the training. Nevertheless, I think this story might be interesting to some of you.

I've mentioned that we've been having a real problem with phishing email. Just this semester we have had three intrusions into our network by people with valid credentials that they phished out of our users. The most recent one was last week. We detected the problem and locked out the account. I went through the victim's mail and found where he or she had responded to the phishing message. Then I called the victim and we had a very interesting conversation. It turns out that the user was aware that our department does not ask for passwords over email. The user told me that he or she would never respond to such a message because we have put so much publicity around not responding to phishing messages. When I pointed the user to the sent item, the user said "Oh no, I remember sending this."

As we talked the user described complete bewilderment at having been suckered in by this. It seems that even though we had successfully educated this user, the user just automatically responded when the real thing showed up. I'm not even sure what to make of this evidence. Does this indicate that our user awareness efforts have been ineffective? You could say yes, because the user gave up the password; or you could say no, because the user knew better. Was this just an isolated mistake that won't be repeated by other users? Do I need to focus more on spreading the word, or do I need to change the word that I'm spreading? It's a real head scratcher.

One thing I would like to look into is writing a plug-in for Microsoft Outlook. The idea would be to write some basic rules, and if a message matches those rules then the Reply button would be greyed out. Maybe it would give the user a warning message before they can really reply to the message. Maybe it would notify us in IT if someone responded to a suspicious message. Prevention is always better than policing, right?
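A prototype of the rule logic such a plug-in would need, added here as an illustration and not code from this post or from any Outlook add-in: it scores a raw message on a few signs of a credential-harvesting request and says whether Reply should be blocked. The phrase list, the `example.edu` internal domain and both sample messages are constructed assumptions.

```python
import email
from email import policy

# Phrases a credential-harvesting message typically uses (constructed list;
# tune it to the campaigns actually seen at your mail gateway).
CREDENTIAL_PHRASES = ("your password", "confirm your account", "verify your account",
                      "username and password", "account will be suspended")

def sender_domain(addr):
    """Return the lowercase domain of an address header value, '' if absent."""
    _, _, dom = (addr or "").lower().rpartition("@")
    return dom.strip("> ")

def phishing_rules(raw, internal_domain):
    """Apply the rules to a raw RFC 5322 message string.
    Returns (score, reasons); a score of 2 or more blocks Reply."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    subject = (msg["subject"] or "").lower()
    reasons = []
    # Rule 1: the message asks for a password or account confirmation.
    if any(p in text or p in subject for p in CREDENTIAL_PHRASES):
        reasons.append("asks for credentials")
    # Rule 2: Reply-To sends the answer to a domain other than the sender's.
    from_dom, reply_dom = sender_domain(msg["from"]), sender_domain(msg["reply-to"])
    if reply_dom and reply_dom != from_dom:
        reasons.append("reply-to domain differs from sender domain")
    # Rule 3: claims to be the IT department but was sent from outside.
    if from_dom != internal_domain and ("help desk" in text or "it department" in text):
        reasons.append("claims to be IT but sent from an external domain")
    return len(reasons), reasons

def reply_blocked(raw, internal_domain="example.edu"):
    """Decision the plug-in would use to grey out the Reply button."""
    score, _ = phishing_rules(raw, internal_domain)
    return score >= 2

# Constructed sample messages: one phish, one ordinary internal notice.
PHISH = """From: IT Help Desk <helpdesk@webmail-support.example.net>
Reply-To: accounts@mailbox-verify.example.org
To: student@example.edu
Subject: Urgent: confirm your account
Content-Type: text/plain

Dear user, the IT department is upgrading webmail. Reply with your username and password or your account will be suspended.
"""
LEGIT = """From: Registrar <registrar@example.edu>
To: student@example.edu
Subject: Spring schedule posted
Content-Type: text/plain

Your spring schedule is now posted on the portal. Log in as usual to view it.
"""
```

Each triggered rule is returned as a reason so the warning dialog can tell the user why the reply was stopped, and the same reasons can be logged to IT when a user overrides the block.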

Any other ideas to fight phishing when your users are just looking for a hook to bite onto?

1 comment:

NoticeBored said...

Interesting questions there.

Sounds like you have succeeded in raising awareness of the phishing incident, but evidently failed to motivate this person, at least, to change their behavior. What I'm getting at is the succession of changes that stem from awareness, since awareness alone achieves little (it's better explained by the ladder diagram on our website at

Your question about whether this is a one-off or whether you need to do more is impossible to answer solely from the information provided, but I'd recommend doing still more on awareness, such as using this very incident as a case study piece: incidents that affect the organization and colleagues tend to hit home harder than mere puffery and FUD by the infosec or risk people, or newspaper headlines that "won't happen here" (if only!).

If you need more advice, Rebecca Herold's book "Managing an information security and privacy awareness and training program" is worth every penny. Honestly, it's stuffed with good ideas.

Kind regards,